From 6c8593d4568b59770aeb5b2cfa1fdc23ac422523 Mon Sep 17 00:00:00 2001
From: Timothy J Fontaine
Date: Fri, 17 Oct 2014 15:16:26 -0700
Subject: crypto: move disaling SSLv2/3 into JavaScript
---
 lib/crypto.js | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
(limited to 'lib/crypto.js')
diff --git a/lib/crypto.js b/lib/crypto.js
index d1c9eb5d2..2da66ad8f 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -37,6 +37,8 @@ try {
 var crypto = false;
 }
+var constants = process.binding('constants');
+
 var stream = require('stream');
 var util = require('util');
@@ -57,6 +59,8 @@ function toBuf(str, encoding) {
 var assert = require('assert');
 var StringDecoder = require('string_decoder').StringDecoder;
+var CONTEXT_DEFAULT_OPTIONS = undefined;
+
 function Credentials(secureProtocol, flags, context) {
 if (!(this instanceof Credentials)) {
 return new Credentials(secureProtocol, flags, context);
@@ -78,7 +82,20 @@ function Credentials(secureProtocol, flags, context) {
 }
 }
- if (flags) this.context.setOptions(flags);
+ if (CONTEXT_DEFAULT_OPTIONS === undefined) {
+ CONTEXT_DEFAULT_OPTIONS = 0;
+
+ if (!binding.SSL3_ENABLE)
+ CONTEXT_DEFAULT_OPTIONS |= constants.SSL_OP_NO_SSLv3;
+
+ if (!binding.SSL2_ENABLE)
+ CONTEXT_DEFAULT_OPTIONS |= constants.SSL_OP_NO_SSLv2;
+ }
+
+ if (flags === undefined)
+ flags = CONTEXT_DEFAULT_OPTIONS;
+
+ this.context.setOptions(flags);
 }
 exports.Credentials = Credentials;
-- cgit v1.2.1
From 1349b680badeb5d08ad82811af8350dc3e0f0397 Mon Sep 17 00:00:00 2001
From: Fedor Indutny
Date: Sat, 18 Oct 2014 04:47:05 +0400
Subject: crypto: allow forcing SSLv2/v3 via secureProtocol
Force-enable SSLv2/v3 when `secureProtocol` is explicitly set to `SSLv2_method` or `SSLv3_method`. see discussion at #8551
---
 lib/crypto.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'lib/crypto.js')
diff --git a/lib/crypto.js b/lib/crypto.js
index 2da66ad8f..f88c55d0a 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
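Review bot: In the first commit's `@@ -78,7 +82,20 @@` hunk of `Credentials`, the SSLv2/SSLv3 opt-outs are applied only when `flags === undefined`, so a caller that passes `flags` for any unrelated option replaces the defaults and ends up without `SSL_OP_NO_SSLv3`/`SSL_OP_NO_SSLv2`. If that is the intended opt-in path it needs a comment above the check, for example `// Explicit flags replace the defaults; callers must OR in SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 themselves.` The same replace-not-merge rule carries into the `@@ -92,8 +92,14 @@` hunk of the next commit and into `getSecureOptions` in the last one. `setOptions` is also called unconditionally now, so falsy values such as `0` or `null` that the old `if (flags)` skipped reach the binding; whether it accepts them is not visible here. The body of `Credentials` starts outside the hunk.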
@@ -92,8 +92,14 @@ function Credentials(secureProtocol, flags, context) {
 CONTEXT_DEFAULT_OPTIONS |= constants.SSL_OP_NO_SSLv2;
 }
- if (flags === undefined)
- flags = CONTEXT_DEFAULT_OPTIONS;
+ if (flags === undefined) {
+ if (secureProtocol === undefined ||
+ secureProtocol === 'SSLv23_method' ||
+ secureProtocol === 'SSLv23_server_method' ||
+ secureProtocol === 'SSLv23_client_method') {
+ flags |= CONTEXT_DEFAULT_OPTIONS;
+ }
+ }
 this.context.setOptions(flags);
 }
-- cgit v1.2.1
From b9283cf9d17a51f9654b438216ecb743ed69a7ce Mon Sep 17 00:00:00 2001
From: Timothy J Fontaine
Date: Wed, 22 Oct 2014 10:27:56 -0700
Subject: tls: honorCipherOrder should not degrade defaults
Specifying honorCipherOrder should not change the SSLv2/SSLv3 defaults for a TLS server. Use secureOptions logic in both lib/tls.js and lib/crypto.js
---
 lib/crypto.js | 44 ++++++++++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 18 deletions(-)
(limited to 'lib/crypto.js')
diff --git a/lib/crypto.js b/lib/crypto.js
index f88c55d0a..597d196f2 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
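Review bot: When `flags` is undefined and `secureProtocol` is anything other than the three `SSLv23*` names, the `@@ -92,8 +92,14 @@` hunk leaves `flags` undefined and `this.context.setOptions(flags)` is then called with `undefined`, where the previous code always passed a number. Adding `flags = 0;` as the first statement inside `if (flags === undefined) {` keeps the argument numeric on every path and leaves the protocol check unchanged. How the binding treats `undefined` is not visible in this patch, so this is a robustness concern rather than a confirmed failure. The same fall-through is carried into `getSecureOptions` in the following commit, which returns `undefined` in that case. The body of `Credentials` starts outside the hunk.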
@@ -61,6 +61,31 @@ var StringDecoder = require('string_decoder').StringDecoder;
 var CONTEXT_DEFAULT_OPTIONS = undefined;
+function getSecureOptions(secureProtocol, secureOptions) {
+ if (CONTEXT_DEFAULT_OPTIONS === undefined) {
+ CONTEXT_DEFAULT_OPTIONS = 0;
+
+ if (!binding.SSL3_ENABLE)
+ CONTEXT_DEFAULT_OPTIONS |= constants.SSL_OP_NO_SSLv3;
+
+ if (!binding.SSL2_ENABLE)
+ CONTEXT_DEFAULT_OPTIONS |= constants.SSL_OP_NO_SSLv2;
+ }
+
+ if (secureOptions === undefined) {
+ if (secureProtocol === undefined ||
+ secureProtocol === 'SSLv23_method' ||
+ secureProtocol === 'SSLv23_server_method' ||
+ secureProtocol === 'SSLv23_client_method') {
+ secureOptions |= CONTEXT_DEFAULT_OPTIONS;
+ }
+ }
+
+ return secureOptions;
+}
+exports._getSecureOptions = getSecureOptions;
+
+
 function Credentials(secureProtocol, flags, context) {
 if (!(this instanceof Credentials)) {
 return new Credentials(secureProtocol, flags, context);
@@ -82,24 +107,7 @@ function Credentials(secureProtocol, flags, context) {
 }
 }
- if (CONTEXT_DEFAULT_OPTIONS === undefined) {
- CONTEXT_DEFAULT_OPTIONS = 0;
-
- if (!binding.SSL3_ENABLE)
- CONTEXT_DEFAULT_OPTIONS |= constants.SSL_OP_NO_SSLv3;
-
- if (!binding.SSL2_ENABLE)
- CONTEXT_DEFAULT_OPTIONS |= constants.SSL_OP_NO_SSLv2;
- }
-
- if (flags === undefined) {
- if (secureProtocol === undefined ||
- secureProtocol === 'SSLv23_method' ||
- secureProtocol === 'SSLv23_server_method' ||
- secureProtocol === 'SSLv23_client_method') {
- flags |= CONTEXT_DEFAULT_OPTIONS;
- }
- }
+ flags = getSecureOptions(secureProtocol, flags);
 this.context.setOptions(flags);
 }
-- cgit v1.2.1
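Review bot: `getSecureOptions` in the `@@ -61,6 +61,31 @@` hunk is exported as `_getSecureOptions` without any comment stating its contract, although the policy it encodes decides whether SSLv2/SSLv3 stay disabled. A short header comment should say that the `SSL_OP_NO_SSLv2`/`SSL_OP_NO_SSLv3` bits are added only when `secureOptions` is undefined and `secureProtocol` is undefined or one of the `SSLv23*` methods, and that in every other case the caller's value is returned untouched. Inside that branch `secureOptions |= CONTEXT_DEFAULT_OPTIONS;` always operates on `undefined`, so `secureOptions = CONTEXT_DEFAULT_OPTIONS;` states the intent without relying on bitwise coercion.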